I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

New Jersey's Essex County Clerk Chris Durkin, who asked voters to request ballots from his Hotmail account, protected only by a security question asking his mother's maiden name.

Here’s a security tip for New Jersey’s voting officials: The integrity of your election shouldn’t depend on fraudsters not being able to find out a county clerk’s mother’s maiden name.

Ahead of New Jersey’s experiment in email voting Tuesday as an option for stranded victims of superstorm Sandy, computer scientists warned of two potential problems with the scheme: First, that it opened the election to fraud, tampering and other insecurities, and second, that election officials wouldn’t be prepared for the flood of emails both requesting ballots and then sending them back in.

Now it seems that despite the state’s efforts to address those security issues, the mere problem of scale is starting to overwhelm officials, creating new cracks in the system and even causing one county to switch to a Hotmail address for ballot requests, protected only by a basic password recovery security question.

In response to security criticisms of New Jersey’s last-minute creation of the email voting workaround, the state government’s website clarified on Monday night that any emailed votes would have to be followed up with a physical ballot by mail as an added security measure to prevent spoofed or altered votes.

But despite that security fix, other problems have already sprung up: New Jerseyites in Morris and Essex counties have reported that their emails were bouncing when they requested ballots or returned them, as first reported by Buzzfeed Monday evening.

“Oh no! email box for Essex County Clerk’s box is full. No one can email in their ballots,” writes one New Jerseyite, Anne Mai Bertelsen, on Twitter.

On Tuesday morning, Essex County Clerk Chris Durkin went so far as to suggest on his Facebook page that voters should request ballots from his Hotmail account rather than the official email address.

“You could keep sleuthing until you find his mother’s maiden name, and then you have access to all these emails from voters,” Soltani says. “If nothing else, you could delete them all. Or you could send phishing emails to hijack accounts, install malware, whatever you want to do.”

Ahead of election day, University of Pennsylvania computer scientist Matt Blaze warned that New Jersey officials were likely failing to take into account the size of the problem of dealing with tens or hundreds of thousands of email-based votes. “There are a number of ways this process could be disrupted deliberately, and a number of ways it could fail under its own weight given how hastily it’s been put together,” Blaze told me.

On Monday night, he reiterated that warning in a prescient tweet: “Most important technical caution for NJ: scale matters more than you think.”

If New Jersey’s makeshift email voting represents anything about the technological future of elections, that’s a lesson more officials should heed.


Comments

I was a bit surprised when I saw that NJ was going to allow this…and I know that those serving in the Military can already do this……but it seemed to be a quick decision and one that should be prepared for months in advance.